jlevers / selling-partner-api

A PHP client library for Amazon's Selling Partner API
BSD 3-Clause "New" or "Revised" License
398 stars, 185 forks

403 Unauthorized for Notification Subscriptions #390

Closed mroffice closed 1 year ago

mroffice commented 2 years ago

Problem description:

Sorry for yet another 403 Unauthorized issue! I'm sure it's a configuration problem somewhere but I can't figure it out.

I can access CreateDestination and GetDestination but nothing to do with Subscriptions. Am I right in thinking the package automatically handles the grantless request (e.g. CreateDestination), as that went through fine? Now trying to create a subscription for that destination gives the 403 error.

I thought it might be related to marketplace, but only for the ANY_OFFER_CHANGED notification type can you specify the marketplaces to subscribe to - so that's my example below. I also tried another couple of notification types (passing in only the destination_id and payload_version to the CreateSubscriptionRequest).

The access policy on my SQS queue is exactly as given in the documentation.

Is the user id given (437568002678) marketplace specific maybe?

My App type is SP-API only - I don't need access to MWS as well for this, do I?

Any help much appreciated.

```json
{
  "Version": "2012-10-17",
  "Id": "Policy1661940035104",
  "Statement": [
    {
      "Sid": "Stmt1661940033264",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::437568002678:root"
      },
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:SendMessage"
      ],
      "Resource": "arn:aws:sqs:eu-west-1:XXXXXXXX:SPAPI"
    }
  ]
}
```

Error:

```json
[403] { "errors": [ { "message": "Access to requested resource is denied.", "code": "Unauthorized", "details": "" } ] }
```

Code:

```php
use SellingPartnerApi\Configuration;
use SellingPartnerApi\Endpoint;
use SellingPartnerApi\Api\NotificationsV1Api as NotificationsApi;
use SellingPartnerApi\Model\NotificationsV1\EventFilter;
use SellingPartnerApi\Model\NotificationsV1\ProcessingDirective;
use SellingPartnerApi\Model\NotificationsV1\CreateSubscriptionRequest;

        // Credentials replaced with placeholders
        $this->config = new Configuration([
            "lwaClientId" => 'xxx',
            "lwaClientSecret" => 'xxx',
            "lwaRefreshToken" => 'xxx',
            "awsAccessKeyId" => 'xxx',
            "awsSecretAccessKey" => 'xxx',
            "endpoint" => Endpoint::EU,
            "roleArn" => 'xxx'
        ]);

        // Create Subscription (same Configuration object as above)
        $apiInstance = new NotificationsApi($this->config);
        // Notification type as listed in the SP-API docs (uppercase)
        $notification_type = 'ANY_OFFER_CHANGED';
        // Restrict the subscription to a single marketplace (UK)
        $eventFilter = new EventFilter([
            'marketplace_ids' => ['A1F83G8C2ARO7P']
        ]);
        $processingDirective = new ProcessingDirective([
            'event_filter' => $eventFilter
        ]);
        $body = new CreateSubscriptionRequest([
            'payload_schema' => '1.0',
            'destination_id' => 'xxxxxxxxxxxxxxxxx',
            'processing_directive' => $processingDirective
        ]);
        try {
            $result = $apiInstance->createSubscription($notification_type, $body);
            print_r($result);
        } catch (\Exception $e) {
            echo 'Exception when calling NotificationsV1Api->createSubscription: ', $e->getMessage(), PHP_EOL;
        }
```

[Screenshot: Seller Central SP API config page]
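The thread never resolves whether the queue policy is at fault, so a static check of the policy is a useful first step before chasing the 403 elsewhere. The script below is an added example, not code from this issue or from the jlevers/selling-partner-api project: it parses a queue access policy and reports whether the SP-API principal from the posted policy is granted exactly `sqs:GetQueueAttributes` and `sqs:SendMessage` on the named queue, and flags wildcard principals, actions or resources that grant more than the notification service needs. The queue ARN and principal are taken from the policy posted above; the over-broad policy used for contrast is constructed for this example.

```python
"""Static check of an SQS queue access policy used as an SP-API notification destination.

Added example; assumes the principal and queue ARN posted in the issue.
"""
import json

# Principal from the posted policy (the account Amazon's docs tell you to allow).
SPAPI_PRINCIPAL = "arn:aws:iam::437568002678:root"
# Minimum actions the notification service needs on the queue.
REQUIRED_ACTIONS = {"sqs:GetQueueAttributes", "sqs:SendMessage"}

# The policy from the issue, embedded here as input (account id placeholder kept as posted).
POLICY_FROM_ISSUE = """{
  "Version": "2012-10-17",
  "Id": "Policy1661940035104",
  "Statement": [
    {
      "Sid": "Stmt1661940033264",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::437568002678:root"},
      "Action": ["sqs:GetQueueAttributes", "sqs:SendMessage"],
      "Resource": "arn:aws:sqs:eu-west-1:XXXXXXXX:SPAPI"
    }
  ]
}"""

# Constructed over-permissive policy for contrast: anyone may do anything to any queue.
POLICY_TOO_BROAD = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:*", "Resource": "*"}
  ]
}"""


def _as_list(value):
    """IAM accepts a string or a list in Principal/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principals(stmt):
    """Return the AWS principals of a statement as strings ('*' means anonymous)."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):  # "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS"))


def check_queue_policy(policy_json, queue_arn):
    """Return a list of findings; empty means the policy grants the SP-API principal
    exactly the required actions on queue_arn and nothing obviously broader."""
    findings = []
    granted = set()  # actions the SP-API principal is allowed on queue_arn
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in principals:
            findings.append(f"{sid}: Principal '*' lets any AWS account use the queue")
        if any(a in ("*", "sqs:*") for a in actions):
            findings.append(f"{sid}: wildcard Action grants more than SP-API needs")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to the queue")
        elif queue_arn not in resources:
            findings.append(f"{sid}: Resource does not name {queue_arn}")

        if SPAPI_PRINCIPAL in principals and queue_arn in resources:
            granted |= set(actions)

    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append(f"SP-API principal is missing {sorted(missing)} on {queue_arn}")
    return findings


if __name__ == "__main__":
    queue = "arn:aws:sqs:eu-west-1:XXXXXXXX:SPAPI"
    for name, policy in (("issue policy", POLICY_FROM_ISSUE), ("broad policy", POLICY_TOO_BROAD)):
        print(name, "->", check_queue_policy(policy, queue) or "OK")
```

The posted policy passes this check, which is consistent with the rest of the thread: a correct queue policy does not by itself explain a 403 from the createSubscription call, since that response comes from SP-API's own authorisation and not from SQS. The check is still worth keeping in a deployment pipeline, because a queue policy that is later loosened to `"Principal": "*"` to make a 403 go away is a common way to end up with a queue any AWS account can write to.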
mroffice commented 2 years ago

Also had a thought that it might be to do with developer roles, here are mine:

[Screenshot: developer roles]
mroffice commented 2 years ago

Ok, just an update: the Developer Support Team suggests that the Direct-to-Consumer Delivery (Restricted) role must be applied for to access the getSubscription/createSubscription requests.

I think they must be wrong, because it makes no sense to block all requests to the request itself just because some of the parameters that can be requested would be from restricted roles. Furthermore, there is no mention of the Subscription requests in the documentation for Direct-to-Consumer Delivery.

For example, I can request a report fine, but get a 403 if I request a report that belongs to a restricted role. I would assume the notification API is the same, so waiting for clarification.

mroffice commented 2 years ago

Another update - Amazon Developer Support have suggested it is something to do with the signing of the request - "Please confirm if you are using the AWS credentials to sign the request" - are they sending me on another wild goose chase?

Can anyone confirm if I can send requests to other APIs (e.g. Reports API) successfully - the signing mechanism is the same for Notifications API so I should be able to send requests without the 403 Unauthorized?

gokigoks commented 2 years ago

I am using the jlevers package on the products, reports, and feeds endpoints and have not run into a signing issue. The library should already be handling that. The catalog api is a pretty simple endpoint to test on to check if there is an issue with your credentials. If not, I would dump the variables/parameters being sent by the library to see if some values look off.

mroffice commented 1 year ago

> I am using the jlevers package on the products, reports, and feeds endpoints and have not run into a signing issue. The library should already be handling that. The catalog api is a pretty simple endpoint to test on to check if there is an issue with your credentials. If not, I would dump the variables/parameters being sent by the library to see if some values look off.

Thanks for the reply. Haven't tried the Catalog API but I've no problem using the Reports API and some requests to the Notification API - just the reading/writing of subscriptions seems to be the problem. If the jlevers package is handling the signing of requests exactly the same across the APIs - then I just can't figure out what the problem might be - it must be something to do with Amazon's internal permissions and roles - I'll keep at them.

jlevers commented 1 year ago

I'm going to close this because it seems likely that it's an Amazon problem and not something to do with this library, but please feel free to reopen it if you find more evidence that the library is causing the issue, and/or think I can be helpful in resolving it.